Enable or Disable System Integrity Protection Rootless in Mac OS X
Apple has enabled a new default security oriented featured called System Integrity Protection, often called rootless, in Mac OS from versions 10.11 onward. The rootless feature is aimed at preventing Mac OS X compromise by malicious code, whether intentionally or accidentally, and essentially what SIP does is lock down specific system level locations in the file system while simultaneously preventing certain processes from attaching to system-level processes.
While the System Integrity Protection security feature is effective and the vast majority of Mac users should leave rootless enabled, some advanced Mac users may find rootless to be overly protective. Thus, if you’re in the group of advanced Mac users who do not want SIP rootless enabled on their OS X installation, we’ll show you how to turn this security feature off.
For those wondering, System Integrity Protection locks down the following system level directories in Mac OS X:
/System /sbin /usr (with the exception of /usr/local subdirectory)
Accordingly, rootless may cause some apps, utilities, and scripts to not function at all, even with sudo privelege, root user enabled, or admin access.
Turning Off Rootless System Integrity Protection in Mac OS X
Again, the vast majority of Mac users should not disable rootless. Disabling rootless is aimed exclusively at advanced Mac users. Do so at your own risk, this is not specifically recommended.
Reboot the Mac and hold down
Command + R keys simultaneously after you hear the startup chime, this will boot OS X into Recovery Mode
When the “OS X Utilities” screen appears, pull down the ‘Utilities’ menu at the top of the screen instead, and choose “Terminal”
Type the following command into the terminal then hit return:
csrutil disable; reboot
You’ll see a message saying that System Integrity Protection has been disabled and the Mac needs to restart for changes to take effect, and the Mac will then reboot itself automatically, just let it boot up as normal
You can also issue the command by itself without the automatic reboot like so:
By the way, if you’re interested in disabling rootless, you may also want to disable Gatekeeper while you’re in the command line too.
If you plan on doing something else in the Terminal or OS X Utilities screen you may want to leave off the auto-reboot command at the end, and yes, in case you were wondering, this is the same recovery mode used to reinstall OS X with Internet Recovery.
Once the Mac boots up again, System Integrity Protection will be disabled entirely in Mac OS X.
Checking the Status of Rootless / System Integrity Protection in Mac OS X
If you want to know the status of rootless before rebooting or without rebooting the Mac into recovery mode, just issue the following command into the Terminal:
You’ll either see one of two messages, enabled indi:
$ csrutil status System Integrity Protection status: enabled.
$ csrutil status System Integrity Protection status: disabled
If at any time you wish to change the status of rootless, another reboot into Recovery Mode is required.
How to Re-Enable Rootless System Integrity Protection in Mac OS X
Simply reboot the Mac again into Recovery Mode as directed above, but at the command line use the following syntax instead:
Just as before, a reboot of the Mac is required for changes to take effect.
As previously stated, the vast majority of Mac users should leave rootless enabled and embrace System Integrity Protection, as most Mac OS X users have no business in the system level directories anyway. Adjusting this feature is really aimed at advanced Mac users, whether IT, sysadmins, network administrators, developers, tinkerers, security operations, and other related highly technical fields.